Deploy Intranet SEC-5 non-root image to GX10

Pin localhost/fc-intranet-web:v20260617-sec5-intranet-1abdf90 and apply restricted pod/container security contexts plus writable /data, /tmp, and /app/logs mounts.
2026-06-17 08:18:31 -05:00
parent cf8cc4ba54
commit 18f4f657f8
1 changed files with 58 additions and 23 deletions
--- a/apps-gx10/intranet/deployment-intranet-web.json
+++ b/apps-gx10/intranet/deployment-intranet-web.json
@@ -49,13 +49,17 @@
                "name": "IntranetSearch__Enabled",
                "value": "true"
              },
-              {
-                "name": "PageReadingOverrides__DatabasePath",
-                "value": "/data/page-reading-overrides.db"
-              },
-              {
-                "name": "KnowledgeFleetSearch__BaseUrl",
-                "value": "https://knowledge.iamworkin.lan"
+              {
+                "name": "PageReadingOverrides__DatabasePath",
+                "value": "/data/page-reading-overrides.db"
+              },
+              {
+                "name": "FlowerCore__Theme__DatabasePath",
+                "value": "/data/intranet-theme.db"
+              },
+              {
+                "name": "KnowledgeFleetSearch__BaseUrl",
+                "value": "https://knowledge.iamworkin.lan"
              },
              {
                "name": "KnowledgeFleetSearch__ApiKey",
@@ -78,9 +82,18 @@
                }
              }
            ],
-            "image": "localhost/fc-intranet-web:gx10-v1",
-            "imagePullPolicy": "Never",
-            "livenessProbe": {
+            "image": "localhost/fc-intranet-web:v20260617-sec5-intranet-1abdf90",
+            "imagePullPolicy": "Never",
+            "securityContext": {
+              "allowPrivilegeEscalation": false,
+              "capabilities": {
+                "drop": [
+                  "ALL"
+                ]
+              },
+              "readOnlyRootFilesystem": true
+            },
+            "livenessProbe": {
              "failureThreshold": 3,
              "httpGet": {
                "path": "/health",
@@ -129,19 +142,33 @@
                "mountPath": "/data",
                "name": "vector-store"
              },
-              {
-                "mountPath": "/srv/flowercore-notes",
-                "name": "notes-corpus",
-                "readOnly": true
-              }
-            ]
+              {
+                "mountPath": "/srv/flowercore-notes",
+                "name": "notes-corpus",
+                "readOnly": true
+              },
+              {
+                "mountPath": "/tmp",
+                "name": "temp"
+              },
+              {
+                "mountPath": "/app/logs",
+                "name": "logs"
+              }
+            ]
          }
        ],
        "dnsPolicy": "ClusterFirst",
        "restartPolicy": "Always",
        "schedulerName": "default-scheduler",
-        "securityContext": {},
-        "terminationGracePeriodSeconds": 30,
+        "securityContext": {
+          "fsGroup": 1654,
+          "fsGroupChangePolicy": "OnRootMismatch",
+          "runAsGroup": 1654,
+          "runAsNonRoot": true,
+          "runAsUser": 1654
+        },
+        "terminationGracePeriodSeconds": 30,
        "volumes": [
          {
            "name": "vector-store",
@@ -149,11 +176,19 @@
              "claimName": "intranet-vector-store"
            }
          },
-          {
-            "emptyDir": {},
-            "name": "notes-corpus"
-          }
-        ]
+          {
+            "emptyDir": {},
+            "name": "notes-corpus"
+          },
+          {
+            "emptyDir": {},
+            "name": "temp"
+          },
+          {
+            "emptyDir": {},
+            "name": "logs"
+          }
+        ]
      }
    }
  }